<<< Date Index >>>     <<< Thread Index >>>

Re: ACROS Security: HTML Injection in BEA WebLogic Server Console (2)



ACROS Security wrote:
> =====[BEGIN-ACROS-REPORT]=====
> 
> PUBLIC
> 
> =========================================================================
> ACROS Security Problem Report #2005-05-24-2
> -------------------------------------------------------------------------
> ASPR #2005-05-24-2: HTML Injection in BEA WebLogic Server Console (2)
> =========================================================================
> 
> Document ID:     ASPR #2005-05-24-2-PUB
> Vendor:          BEA Systems (http://www.bea.com)
> Target:          WebLogic Server and WebLogic Express, Service Pack 4
> Impact:          An HTML injection vulnerability exists in WebLogic
>                  Server Console, enabling attackers to hijack
>                  administrative sessions using cross site scripting
> Severity:        High
> Status:          Official patch available, workarounds available
> Discovered by:   Mitja Kolsek of ACROS Security
> 
> Current version 
>    http://www.acrossecurity.com/aspr/ASPR-2005-05-24-2-PUB.txt
> 
> 
> Summary
> =======
> 
> There is a vulnerability in WebLogic Server Console login page that 
> allows the attacker to assume administrator's identity and thus gain 
> administrative access to Server Console. It is possible to inject 
> malicious JavaScript in the login page so that when administrator logs in,
> his username and password are silently transmitted to attacker's web 
> server.
> 
> 
> Product Coverage
> ================
> 
> - WebLogic Server 8.1, Service Pack 4 - affected
> - WebLogic Server 7.0, Service Pack 2 - not affected
> - WebLogic Express 7.0, Service Pack 6 - affected
> 
> Older versions are likely to be affected as well.
> 
> 
> Analysis
> ========
> 
> Cross site scripting is a very common problem with web-based applications.
> Basically it is present whenever the server is willing to include user's
> input data, which contains some client-side script (e.g. JavaScript), back
> to the browser unsanitized, somewhere within the generated web page. This
> script, when executed, has access to all information within and about the
> received web page, including the cookies. 
> 
> The main differentiator of this particular vulnerability is that the 
> attacker need not trick the administrator into visiting a malicious web 
> site while being in an administrative session. Furthermore, in contrast to 
> other cross-site scripting vulnerabilities, this vulnerability allows the 
> attacker to also obtain administrator's username and password - and not 
> "only" his session identifier (ADMINCONSOLESESSION).
> 
> 
> Solution
> ========
> 
> BEA Systems has issued a security bulletin [1] and published a patch
> which fixes this issue.
> 
> 
> Workaround
> ==========
> 
> - Always close all browser instances/windows and delete all cookies before
>   logging in to WebLogic Server Console.
> 
> 
> References
> ==========
> 
> [1] BEA Systems Security Advisory BEA05-80.00
>     http://dev2dev.bea.com/pub/advisory/130
> 
> 
> Acknowledgments
> ===============
> 
> We would like to acknowledge Gordon Engel of BEA Systems for extremely
> diligent and professional handling of the identified vulnerability.
> 
> 
> Contact
> =======
> 
> ACROS d.o.o.
> Makedonska ulica 113
> SI - 2000 Maribor
> 
> e-mail: security@xxxxxxxxxxxxxxxxx
> web:    http://www.acrossecurity.com
> phone:  +386 2 3000 280
> fax:    +386 2 3000 282
> 
> ACROS Security PGP Key
>    http://www.acrossecurity.com/pgpkey.asc
>    [Fingerprint: FE9E 0CFB CE41 36B0 4720 C4F1 38A3 F7DD]
> 
> ACROS Security Advisories
>    http://www.acrossecurity.com/advisories.htm
> 
> ACROS Security Papers
>    http://www.acrossecurity.com/papers.htm
> 
> ASPR Notification and Publishing Policy
>    http://www.acrossecurity.com/asprNotificationAndPublishingPolicy.htm
> 
> 
> Disclaimer
> ==========
> 
> The content of this report is purely informational and meant only for the
> purpose of education and protection. ACROS d.o.o. shall in no event be
> liable for any damage whatsoever, direct or implied, arising from use or
> spread of this information. All identifiers (hostnames, IP addresses,
> company names, individual names etc.) used in examples and demonstrations
> are used only for explanatory purposes and have no connection with any
> real host, company or individual. In no event should it be assumed that
> use of these names means specific hosts, companies or individuals are
> vulnerable to any attacks nor does it mean that they consent to being used
> in any vulnerability tests. The use of information in this report is
> entirely at user's risk.
> 
> 
> Revision History
> ================
> 
> May 24, 2005: Initial release
> 
> 
> Copyright
> =========
> 
> (c) 2005 ACROS d.o.o. Forwarding and publishing of this document is
> permitted providing the content between "[BEGIN-ACROS-REPORT]" and
> "[END-ACROS-REPORT]" marks remains unchanged.
> 
> =====[END-ACROS-REPORT]=====
To exploit this an admin user still needs to click on a link to a URL
right? or is the malicious javascript inserted into the login page via
http splitting?